Homemade remote CLI for NetApp

Security is one of those things that everyone knows they need to do, but it rarely gets done to the level that it should be. This, at least in my experience, is primarily because security makes general, day-to-day tasks more difficult. Take, for instance, rsh. Rsh by itself is a great time saver…admit it…it’s great to just be able to execute commands from your admin host and have the results returned back. You can parse them however you like using standard operating system tools like grep, awk, and sed, and best of all (or perhaps worst…) you don’t have to type the password repeatedly.

However, all of the benefits of rsh can be realized using ssh; it just takes a little more setup. But I’m not going to get into that today. What if you just want a way to securely execute commands against your NetApp without consuming the sole ssh connection to your filer (you have telnet and rsh disabled, right?). What if you don’t want to enable ssh, telnet, or rsh but still want to have a pseudo command line? Assuming you have SSL (https) access enabled, you can use the Perl SDK to access, and execute commands against, your filer almost like you were telnet/ssh’d into it.

The magic comes from the undocumented system-cli SDK command. It allows you to execute almost any command just as though you were sitting at the console.

The great part is that with this, you can accomplish probably 99% or more of all tasks having only one access method enabled to your NetApp: the https/ssl option. SSH, RSH, telnet and HTTP can all be disabled.

I say almost because there are two types of commands that do not work using the below Perl script. The first type is non-terminating commands. These, at least off the top of my head, are primarily the stats show commands with the -i option specified. With the -i option, the stats command repeats at the interval specified, in seconds. Now, the caveat to this is that you can also specify a -c option that limits the number of occurrences to the number specified. The downside to this is that if you issue a command like stats show -i 5 -c 5 volume:*:read_ops then the command will take 25 seconds, at which point the results, as a whole, will be returned.

This also applies to issuing man commands. Man will not return (at least with the simulator) to STDOUT, so system-cli doesn’t capture the output.

So, without any more pontificating by me, here is some sample output and the script. If you would like to see additional examples, let me know in the comments.
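As an added illustration of the approach described above (this is not the author's original script), here is a small Perl wrapper that sends one console command through system-cli over HTTPS and refuses the two command types the post says do not work. It assumes the NetApp Manageability SDK modules NaServer.pm and NaElement.pm are installed; the library path, the NETAPP_PASS variable, and the cli-output / cli-result-value response fields are assumptions to check against your SDK version.

```perl
#!/usr/bin/perl
# Added example, not the post's script: run one filer command via system-cli over HTTPS.
# Assumes NaServer.pm / NaElement.pm from the NetApp Manageability SDK are available.
use strict;
use warnings;
use lib '/path/to/netapp-manageability-sdk/lib/perl/NetApp';   # placeholder path
use NaServer;
use NaElement;

my ($filer, $user, @cmd) = @ARGV;
die "usage: $0 <filer> <user> <command> [args...]\n" unless $filer && $user && @cmd;

# system-cli returns output only once the command terminates, so reject
# "stats ... -i N" without "-c N", and "man", whose output is not captured.
my $has_i = grep { $_ eq '-i' } @cmd;
my $has_c = grep { $_ eq '-c' } @cmd;
die "refusing: 'stats -i' without '-c' never returns\n" if $cmd[0] eq 'stats' && $has_i && !$has_c;
die "refusing: 'man' output is not returned by system-cli\n" if $cmd[0] eq 'man';

# Take the password from the environment (hypothetical NETAPP_PASS) or a no-echo
# prompt, keeping it out of argv and shell history.
my $pass = $ENV{NETAPP_PASS};
unless (defined $pass) {
    print STDERR "Password for $user\@$filer: ";
    system('stty', '-echo');
    chomp($pass = <STDIN>);
    system('stty', 'echo');
    print STDERR "\n";
}

# HTTPS is the only transport used, so ssh, rsh, telnet and http can stay disabled.
my $s = NaServer->new($filer, 1, 0);
$s->set_style('LOGIN');
$s->set_transport_type('HTTPS');
$s->set_admin_user($user, $pass);

# Request shape: <system-cli><args><arg>word</arg>...</args></system-cli>
my $in   = NaElement->new('system-cli');
my $args = NaElement->new('args');
$args->child_add_string('arg', $_) for @cmd;
$in->child_add($args);

my $out = $s->invoke_elem($in);
die "system-cli failed: " . $out->results_reason() . "\n" if $out->results_status() eq 'failed';

print $out->child_get_string('cli-output') // '';
exit($out->child_get_int('cli-result-value') || 0);
```

Because the output arrives on STDOUT as plain text, it can be piped through grep, awk, and sed the same way rsh output would be.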

Sorry for a very delayed response, hope you won’t hold it against me : ) What version of the SDK are you using? There seem to be some inconsistencies between the versions and I’m trying to narrow down the problem versions.

Very interesting script. My apologies if I’m missing the point, but I have to ask, why? I have ssh set up for my filers, with rsh and telnet turned off as well. What I do instead from a RHEL5 server is set an extremely short alias (for me it’s the last 2 digits of the serial number) to the ssh @ command and simply type

12 lun show
12 aggr show_space -g

etc. Your issues of commands that return constant output like sysstat -x 1 or a lun stats, etc, they work in real time like you’re on the controller, yet I’m not hogging the session. I also have the added benefit of all the unix shell utilities as well, so if I want to search for a lun for a server, it’s just

12 lun show | grep

and all of them show up in a list. Hate how the volumes don’t come in alphabetical order?

12 df -h -s | sort

etc etc etc. I also have the ability to up arrow, home, then change the first 2 digits to execute on another controller, or just do ^12^13 to substitute controller 12 for 13 and execute the same command. This makes swapping between controllers very easy.

Admittedly, there isn’t a great number of uses for the script in its current form. My main desire when I started creating this script was to see if it is possible to give a pseudo environment for the plethora of scripts that have been written to parse RSH/SSH output from a NetApp.

Eventually I’d like to make it so that rather than RSH/SSH to a filer to get that information, you simply alias a script like this one to “act” like the command line. This ensures that the communication takes place securely (assuming you are using HTTPS)…it also eliminates one of the major hurdles that a lot of people have with getting rid of RSH access…namely, configuring the key based authentication.